Rule Lifecycle Management
Overview
Ensure continuous security policy validation with rule lifecycle processes that enforce recertification schedules and rule attestation for accountability and audit readiness.
As security policies evolve over time, rules that are no longer reviewed or owned can introduce unnecessary risk and compliance gaps. To maintain a secure and compliant environment, security rules must remain justified, owned, and regularly validated throughout their lifecycle.
Rule Lifecycle Management (RLM) guides you through implementing structured rule recertification and attestation using two complementary approaches, depending on scale and operational needs.
- SecureChange workflows: For targeted, rule-specific reviews, use SecureChange workflows to manage certification decisions for a selected subset of rules. This approach is ideal when you need controlled, auditable reviews for specific rules, allowing policy owners to certify or decertify rules, update metadata, and extend expiration dates through governed workflows.
- Rule Lifecycle Management (RLM) application extension: For large-scale, continuous certification decisions, use the RLM application extension. This approach automates recertification across a broader rule population, enforcing review schedules, ownership validation, and rule attestation with minimal manual effort.
Together, these methods allow you to systematically validate rule necessity, maintain clear ownership, and retire rules that no longer serve a business purpose—supporting accountability, reducing risk, and maintaining audit readiness.
Why this matters
- Scheduled recertification workflows for policy owners to review and attest rules, enforcing accountability and ownership.
- Automated processes to decommission expired or redundant rules.
- Continuous compliance and audit readiness.
- Compliance teams can verify that rules are current, reviewed, and approved, reducing audit findings and compliance risk.
- Expired or redundant rules are automatically identified and decommissioned, eliminating manual cleanup and minimizing attack surface.
Who this is for
- Network engineers responsible for recertifying rules and validating Rule Lifecycle Management (RLM) processes.
- Risk and compliance managers responsible for assessing risk and validating compliance.
- Business owners responsible for determining if rules are required to support business functions.
Features
- SecureChange workflows for certification management of a subset of rules:
  - Rule Recertification workflow to integrate and set up certification.
  - (Optional) Rule Modification workflow to edit policy rules and provision changes.
  - (Optional) Rule Decommission workflow to delete a rule.
  - Rule Viewer to create tickets.
- Rule Lifecycle Management application extension for large-scale automated rule certification management.
Prerequisites
- Successful completion of:
  - Centralized Security Policy Visibility to add the devices to monitor.
  - Infrastructure Change Management to enforce standardized processes for rule and group changes.
- RLM application extension installed to configure and implement automated rule recertifications.
SecureChange workflow-based rule management
Use workflow-based rule management to recertify a selected set of rules through controlled, auditable SecureChange workflows, ensuring ownership, justification, and compliance for in-scope rules.
Step 1: Automate rule recertification
Rule recertification ensures that firewall rules remain valid over time. Automating this process allows you to systematically review rules, make certification decisions, and update metadata, supporting continuous compliance and audit readiness.
Use SecureChange's Workflows to create or reuse workflows that support rule lifecycle management.
Create a rule recertification workflow
A rule recertification workflow is used to review existing rules and confirm whether they are still required. Typical outcomes include extending a rule’s expiration date, updating ownership or justification, or identifying rules that should be decertified.
- Go to SecureChange > Workflows.
- From the Add New Workflow list, select Rule Recertification, or select an existing Rule Recertification workflow.
See Creating a custom workflow.
Add the Rule Recertification field to workflow steps
During the recertification process, handlers must make certification decisions and update rule metadata.
The Rule Recertification field enables handlers to define certification settings for the rule such as the certification duration and certification owner. These settings are inherited by every ticket that uses the workflow, ensuring consistent and reliable certifications.
Add the Rule Recertification field to one or more workflow steps where certification decisions are required.
See Rule Recertification field.
Step 2: Create rule recertification ticket
A ticket is a change request or a rule-related activity tracked in a ticketing system. Linking ticket information to rules allows you to track why a rule was reviewed, who requested the review, and who authorized the outcome.
Use SecureTrack's Rule Viewer to select the rules that require certification decisions and create recertification tickets for them.
To process these tickets in SecureChange, make sure you select SecureChange ticket when adding the ticket.
See Add tickets to rules.
Step 3: Manage rule recertification tickets
After you add tickets to the rules you selected in Rule Viewer, process these tickets to certify or decertify rules and update their metadata.
Use SecureChange's Tickets to manage certification decisions for rules.
Certify/decertify rules and update rule metadata
Selecting a ticket from the Tickets list opens it at its current step in the Rule Recertification workflow. If the ticket includes one or more rules, the Rules for Certification table lists each rule with its current certification status.
You can:
- Certify rules that meet policy and business requirements.
- Decertify rules that are unused, expired, or no longer compliant.
- Update rule metadata to push certification changes back to SecureTrack for visibility and accountability. Updating the metadata synchronizes the latest certification details and updates the Certification tab in the Rule Viewer.
RLM-based rule management
Use the Rule Lifecycle Management (RLM) application to automate large-scale rule recertification. The RLM app streamlines rule lifecycle processes by automatically assigning rule ownership, identifying rules that require review, and enforcing recertification actions with minimal manual effort.
Step 1: Configure RLM settings
Before using the RLM application, configure and verify the required settings to ensure proper integration, automation, and certification behavior.
Use RLM's Settings to verify and complete configuration.
Configure SecureChange integration settings
Configure the connection settings to integrate RLM with SecureChange. This integration allows RLM to retrieve rules, open certification tickets, and update rule metadata.
- Select a Rule Recertification workflow to be used for certification decisions.
- Enable the option to automatically update rule metadata so certification decisions are implemented without manual intervention.
- Optionally select Rule Decommission and Rule Modification workflows, if you want RLM to automate these actions.
See:
Configuring SecureChange workflows and users
Configuring rule recertification and expiration
Configure rule owners based on assets
To allow RLM to assign responsibility for rule certifications, map Rule Owners to the network devices or assets they manage. RLM uses this mapping to determine who must review and certify each rule.
- For a more intuitive view, use the Group toggle to group IPs/subnets.
- Group permissions override individual owner permissions.
See Mapping rule owners to assets.
Configure email notifications
Configure email notifications to alert Rule Owners when rules require certification or action. You can also define the content in the email notifications.
Notifications help ensure timely reviews and prevent certification delays.
See Configuring email notifications.
Step 2: Identify rules requiring certifications
After configuring RLM, identify rules that have expired or are approaching expiration by running on-demand or scheduled scans. These scans proactively surface rules that require review.
- Use RLM's Scan to run scans.
You can:
- Exclude specific rules or devices from scans.
- Run scans manually or define a recurring schedule with a start time and interval.
Scan results are displayed in the My Queue page, providing a centralized view of rules that require certification decisions.
See Scheduling or running a scan.
Step 3: Manage rule certifications
After a scan completes, RLM displays rules along with their current certification status.
At this stage, Rule Owners can:
- Review rules and make certification decisions.
- Implement certification decisions.
Use RLM's My Queues to view scanned rules, listed per Rule Owner and per default owner of the access rules.
Select rules and assign certification decisions
Use the default All rules filter to identify rules that require certification decisions.
You can make certification decisions for:
- Multiple rules directly from the My Queue page.
- Individual rules from the Certification Details filter view, which shows the most recent certification decision on the rule and comments from other owners.
Assign one of the following actions:
- Certify: Extend the expiration date. Confirm that rules meet policy and business requirements. Provide business justification and select a specific rule owner if multiple owners exist.
- Decertify: Mark rules that are unused, expired, or non-compliant. Also requires business justification.
- Request Reassignment: Request a change in rule ownership.
See:
Rule Owner: How rule recertification works
Implement certification decisions
Once at least one Rule Owner submits a certification decision, the rule moves to the Pending page.
From the Actions menu, Rule Owners or default owners can:
- Certify or decertify rules.
- Import a rule for partial mapping if there is a certification conflict.
- View comments and certification history.
- Track the rule's status until the rule is fully certified or decertified/disabled.
Resolve certification conflicts
If a rule has a Conflict status on the Pending page, it indicates that not all Rule Owners agree on the certification decision.
The App Admin can open a Rule Modification ticket in SecureChange to modify rule objects or ownership.
See Managing certification decision conflicts.
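The scan, owner-decision and conflict logic of Steps 2 and 3 above, as an added, constructed model (not Tufin's code or API): owners are derived from an assumed asset-to-owner mapping, a scan surfaces rules that are expired or inside a lookahead window, each Certify/Decertify decision needs a justification, and a rule's status moves from scanned to Pending, to Conflict when mapped owners disagree, and to fully Certified/Decertified only when every mapped owner agrees.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed illustration of the RLM recertification flow described on this
# page. Names and the asset-to-owner mapping are assumptions, not Tufin's API.
ASSET_OWNERS = {  # constructed mapping: device (asset) -> Rule Owners
    "fw-edge-01": {"alice", "bob"},
    "fw-dmz-02": {"carol"},
}

@dataclass
class Rule:
    name: str
    device: str
    expires: str  # ISO date YYYY-MM-DD; ISO strings compare correctly as text
    # owner -> (action, business justification)
    decisions: dict = field(default_factory=dict)

    @property
    def owners(self) -> set:
        """Rule Owners come from the asset the rule lives on."""
        return ASSET_OWNERS.get(self.device, set())

def scan(rules, today, lookahead_days=30, excluded_devices=()):
    """Return rules that are expired or expire within lookahead_days of today,
    skipping devices excluded from the scan."""
    cutoff = (date.fromisoformat(today) + timedelta(days=lookahead_days)).isoformat()
    return [r for r in rules
            if r.device not in excluded_devices and r.expires <= cutoff]

def decide(rule, owner, action, justification):
    """Record a Certify/Decertify decision; only mapped owners may decide and
    both actions require a business justification."""
    if owner not in rule.owners:
        raise PermissionError(f"{owner} is not a mapped owner of {rule.name}")
    if action not in ("Certify", "Decertify") or not justification.strip():
        raise ValueError("action must be Certify/Decertify with a justification")
    rule.decisions[owner] = (action, justification)

def status(rule):
    """Scanned -> Pending (at least one decision) -> Conflict (owners disagree)
    -> Certified/Decertified once every mapped owner has agreed."""
    if not rule.decisions:
        return "Scanned"
    actions = {action for action, _ in rule.decisions.values()}
    if len(actions) > 1:
        return "Conflict"
    if set(rule.decisions) == rule.owners:
        return "Certified" if actions == {"Certify"} else "Decertified"
    return "Pending"
```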
Step 4: Verify ticket and rule status sync
At the configured synchronization interval, RLM automatically synchronizes with SecureChange and creates tickets using the Rule Recertification workflow defined in RLM settings. This step ensures end-to-end traceability between certification decisions, tickets, and rule metadata.
These tickets:
- Implement certification decisions.
- Update rule metadata in SecureTrack access control lists.
- Use rule expiration dates to retrieve rules for future recertification.
See Tracking certification tickets.
Step 5: Verify auto-decommission for decertified rules
If you enabled Auto decertify in RLM Settings > Setup, RLM automatically opens Rule Decommission tickets for decertified rules.
Handlers and the Rule Owners decide whether to decommission the rule based on time or usage.